
I'm trying to forbid audio and video calls for some users. Reading the documentation, I found an access rule for mod_stun_disco. So my config looks like this:

acl:
  local:
    user_regexp: ""
  loopback:
    ip:
      - 127.0.0.0/8
      - 10.10.0.0/16
      - ::1/128
      - ::FFFF:127.0.0.1/128
### split users and admins for acl message shaper and admin login
  admin:
    user:
      - admin@myxmpp.com
      - user1@myxmpp.com
  poweruser:
    user:
      - user2@myxmpp.com


access_rules:
  local:
    allow: local
  c2s:
    deny: blocked
    allow: all
  announce:
    allow: admin
  configure:
    allow: admin
  muc_create:
    allow: local
  pubsub_createnode:
    allow: local
  trusted_network:
    allow: loopback
  stundisco:
    allow: poweruser
    deny: all

modules:
  mod_disco: {}
  mod_stun_disco:
    credentials_lifetime: 12h
    offer_local_services: false
    access: stundisco
    services:
        -
          host: 10.10.10.10
          port: 3478
          type: stun
          transport: udp
          restricted: false
        -
          host: 10.10.10.10
          port: 3478
          type: turn
          transport: udp
          restricted: true

But this doesn't restrict admin and user1 from making audio or video calls. This is part of the ejabberd log:

2022-06-11 15:11:08.442999+02:00 [debug] <0.586.0>@supervisor:report_progress/2:1562 PROGRESS REPORT:
    supervisor: {local,ejabberd_gen_mod_sup}
    started: [{pid,<0.614.0>},
              {id,mod_stun_disco_4a85c490},
              {mfargs,
                  {gen_server,start_link,
                      [{local,mod_stun_disco_4a85c490},
                       mod_stun_disco,
                       [<<"myxmpp.com">>,
                        #{access => stundisco,
                          credentials_lifetime => 43200000,
                          offer_local_services => false,secret => undefined,
                          services =>
                              [{service,undefined,undefined,
                                   {10,10,10,10},
                                   <<>>,<<>>,3478,false,udp,stun,<<>>,
                                   undefined},
                               {service,undefined,undefined,
                                   {10,10,10,10},
                                   <<>>,<<>>,3478,true,udp,turn,<<>>,
                                   undefined}]}],
                       [{max_queue,10000}]]}},
              {restart_type,transient},
              {significant,false},
              {shutdown,60000},
              {child_type,worker}]

So can I use the mod_stun_disco access rule to forbid voice and video calls, or is there something else I need to do? Thanks.

1 Answer

Your configuration looks correct for this purpose. I installed ejabberd 22.05, configured similarly to what you show, and it works as expected: the admin user gets a forbidden error when it sends this query. And user2 gets the configured services with that query.

Maybe you forgot to reload the configuration or restart ejabberd after changing it? Or modified a configuration file that ejabberd is not reading at all (maybe there are several config files from older installments...). Or maybe you are using an older ejabberd version, which may have some bug... you didn't mention what ejabberd version you are using.

Badlop
  • Thanks for your reply. I'm using the 22.05 version of ejabberd. I also restarted the ejabberd service multiple times, even restarted the server, but as soon as I add a user in the Conversations app, even if he is in the deny group, he can make audio and video calls. I also removed all configs from previous ejabberd installations. Is there anything else I can try? – vladosam Jun 13 '22 at 08:04
  • Also, in ejabberd.log I see that access is commented out like this ` mod_stun_disco, [<<"myxmpp.com">>, #{access => stundisco, credentials_lifetime => 43200000, offer_local_services => true,secret => undefined, ` Do you have that in your ejabberd.log? Can you share your full ejabberd config so I can compare it? Thanks – vladosam Jun 13 '22 at 16:26
  • Notice that I only checked if the user can see the configured services or not in the Services Discovery in my XMPP client (Tkabber, I think Gajim and Psi will show that too). And you only checked if the user can make audio/video calls. – Badlop Jun 15 '22 at 22:04
  • Yes, I understand now. I use my ejabberd server in an intranet and I don't know why I thought that access_rules would block users from accessing the STUN server. Stupid me. – vladosam Jun 16 '22 at 11:39
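
The check described in the answer and the closing comments, as an added example that is not part of the original thread: mod_stun_disco answers XEP-0215 service-discovery requests, so the `stundisco` rule can be verified by sending that request as each user and classifying the reply. The query stanza from the answer is not preserved on this page; the request below follows XEP-0215, and both replies are constructed samples, not captured server output. A "denied" result only shows that the server withheld the service list and TURN credentials; it says nothing about whether a call can still be set up.

```python
import xml.etree.ElementTree as ET
from xml.sax.saxutils import quoteattr

EXTDISCO = "urn:xmpp:extdisco:2"                  # XEP-0215 namespace
STANZAS = "urn:ietf:params:xml:ns:xmpp-stanzas"   # stanza error conditions

def build_query(server, iq_id="extdisco-1"):
    """XEP-0215 request for the server's external services."""
    return (f"<iq type='get' to={quoteattr(server)} id={quoteattr(iq_id)}>"
            f"<services xmlns='{EXTDISCO}'/></iq>")

def local(tag):
    """Strip the '{namespace}' prefix ElementTree puts on tag names."""
    return tag.rsplit("}", 1)[-1]

def classify_response(xml_text):
    """Return ('denied', condition) or ('allowed', [(type, host, port, restricted)])."""
    iq = ET.fromstring(xml_text)
    if iq.get("type") == "error":
        for child in iq:
            if local(child.tag) == "error":
                conds = [local(c.tag) for c in child
                         if c.tag.startswith("{" + STANZAS + "}")]
                return "denied", conds[0] if conds else "unknown"
        return "denied", "unknown"
    services = [(s.get("type"), s.get("host"), int(s.get("port", 0)),
                 s.get("restricted") == "true")
                for s in iq.iter("{%s}service" % EXTDISCO)]
    return "allowed", services

# Constructed replies (not captured from a real server).
DENIED = """<iq type='error' from='myxmpp.com' to='admin@myxmpp.com/test' id='extdisco-1'>
  <services xmlns='urn:xmpp:extdisco:2'/>
  <error type='auth'><forbidden xmlns='urn:ietf:params:xml:ns:xmpp-stanzas'/></error>
</iq>"""
ALLOWED = """<iq type='result' from='myxmpp.com' to='user2@myxmpp.com/test' id='extdisco-1'>
  <services xmlns='urn:xmpp:extdisco:2'>
    <service host='10.10.10.10' port='3478' transport='udp' type='stun'/>
    <service host='10.10.10.10' port='3478' transport='udp' type='turn'
             restricted='true' username='constructed' password='constructed'/>
  </services>
</iq>"""

if __name__ == "__main__":
    print(build_query("myxmpp.com"))
    print("admin:", classify_response(DENIED))
    print("user2:", classify_response(ALLOWED))
```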